This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 67%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
I have a VMSS that is deployed using ARM. This VMSS has a systemAssigned identity.
In the same ARM template, the keyvault's accesspolicy is updated to allow the VMSS identity to GET,LIST secrets and certificates.
Then, the VMSS extensions are updated via "Microsoft.Compute/virtualMachineScaleSets/extensions" resource using the same ARM template to pullthe certificate from the keyvault into the VMSS.
"secretsManagementSettings": {
"pollingIntervalInS": "300",
"requireInitialSync": true,
"certificateStoreName": "MY",
"certificateStoreLocation": "LocalMachine",
"observedCertificates": "[parameters('keyVaultObservedCertificates')]"
}
This extension seems to be loaded correctly in the Portal UI. But, upon logging in to the individual VMs in the VMSS, I do not see this certificate in any store.
I got this working. In my VMSS template, I'd set the upgradePolicy to manual. It needs to be Automatic.
If you're a newbie like me, you'd also want a healthProbe or an healthExtension specified in your properties.vmProfile.networkProfile.
@Kimaya Kamat Thank you for your question!!!
Assuming that you might be following this to achieve the above and as you mentioned you have provided the required access and parameters as mentioned in document and assuming that for the parameter observed certificate you might have provided URI for certificate uri as mentioned here as well
When this VM is deployed, Azure will inject the certificate into the VM. On Windows, certificates in PFX file are added with the private key not exportable. The certificate is added to the LocalMachine certificate location, with the certificate store that the user provided. More info here. As mentioned here:
Similarly on Linux, the certificate file is placed under the /var/lib/waagent directory, with the file name <UppercaseThumbprint>.crt for the X509 certificate file and <UppercaseThumbpring>.prv for private key. Both of these files are .pem formatted.
Can you check the above and see if you can find certificate as mentioned or not. If possible cross check documentation once to check if there is any parameter value missing.
If issues till persist let me know will work with you further on this one.
Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.
Hi @prmanhas-MSFT ,
Thanks for the answer. Yes, I've followed the documents and added a "systemAssigned" identity to the VMSS. Then set this identity in the KeyVault's access policies.
My issue is this works perfectly on a Virtual Machine resource. But not on a Virtual Machine Scale Set instance.
@Kimaya Kamat Thank you for responding back. I will reach out to internal team and will keep you posted with update.
Thanks